2. Security weaknesses and vulnerabilities
Mobile devices
► Smartphone sales are increasing (chart: worldwide smartphone market share by platform, 3Q12 vs 3Q13; Source: Gartner.com)

  Platform     3Q12    3Q13
  Android      72.6%   81.9%
  iOS          14.3%   12.1%
  Microsoft     2.3%    3.6%
  Blackberry    5.2%    1.8%

► Malware goes mobile (chart: number of variants in 2010, 2011 and 2012 for the families TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu and FakePlayer, scale 0–160; Source: Eset.com)
► Security threats and malware are constantly present (timeline of incidents, 2012–2014):
  ► Weakness in SSL cert handling exposes data to interception (iOS)
  ► NotCompatible gains access to local network preferences (Android)
  ► LuckyCat opens a backdoor that allows remote access (Android)
  ► Lock screen of iPhone can be circumvented (iOS)
  ► The Android “Master Key” exploit
  ► iOS 7 lock screen vulnerability discovered
  ► HTC phone vulnerability leaks personal data (Android)
  ► FakeInst SMS Trojan cost end-users 30 million dollars (Android)
  ► SMSzombie that abuses China’s SMS payment (Android)
  ► Apparent security certificate turns out to be Android malware
  ► Banking Trojans disguise attack targets in the cloud
EY - App Alliance WG meeting – 20 November
3. Application weaknesses and vulnerabilities
More than meets the eye
Most tests stop here…
► SSL/TLS
► Insecure data storage
...or here
► Bypass authentication or authorization controls
► Bypass validations or manipulate application business logic
► Application code review
► What about injection attacks?
► Session management?
► Side channel data leakage?
► Sensitive information disclosure?
► Phishing attacks?
► Application and library permissions?
4. Mobile Application Security
Most common issues
1. There is too much business logic in the application
  ► The mobile devices hold the actual application binary
  ► It’s safer to perform business logic validation on central systems (e.g. web service/web server)
2. SSL/TLS not implemented, or not implemented properly
  ► Certificate validity is often not checked
  ► Consider certificate pinning – it works perfectly for mobile apps!
3. Insecure local data storage
  ► Passwords stored in databases
  ► Personal information is stored without consent of the user (re privacy legislation)
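Issue 1 above says business-logic validation belongs on central systems because the client binary is in the user's hands. The following is an added example, not code from the deck or from EY: a server-side order check that recomputes the total from its own catalogue and rejects any client-supplied figure that disagrees. The catalogue, SKUs, prices, quantity limit and JSON order shape are all constructed placeholders.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalogue and limits (placeholder SKUs and prices): this is the
# server's source of truth; nothing the client sends overrides it.
CATALOGUE = {
    "sku-100": Decimal("19.99"),
    "sku-200": Decimal("5.00"),
}
MAX_QTY_PER_LINE = 10


class OrderRejected(ValueError):
    """Raised when an order fails server-side validation."""


def validate_order(order):
    """Recompute the order total on the server and reject any client-supplied
    figure that disagrees. Returns the authoritative total as a Decimal.

    `order` is the parsed JSON body, e.g.
    {"lines": [{"sku": "sku-100", "qty": 2}], "total": "39.98"}.
    Any "price" or "discount" the client includes per line is ignored:
    the mobile app may display prices, but it does not decide them.
    """
    lines = order.get("lines")
    if not isinstance(lines, list) or not lines:
        raise OrderRejected("no order lines")
    total = Decimal("0")
    for line in lines:
        if not isinstance(line, dict):
            raise OrderRejected("malformed order line")
        sku = line.get("sku")
        qty = line.get("qty")
        if not isinstance(sku, str) or sku not in CATALOGUE:
            raise OrderRejected("unknown sku %r" % (sku,))
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise OrderRejected("invalid quantity for %s" % sku)
        total += CATALOGUE[sku] * qty
    claimed = order.get("total")
    if claimed is not None:
        try:
            claimed_dec = Decimal(str(claimed))
        except InvalidOperation:
            raise OrderRejected("unparseable client total")
        if claimed_dec != total:
            raise OrderRejected("client total %s does not match server total %s" % (claimed, total))
    return total


def order_is_valid(order):
    """Convenience wrapper: True if validate_order accepts the order."""
    try:
        validate_order(order)
        return True
    except OrderRejected:
        return False


if __name__ == "__main__":
    good = {"lines": [{"sku": "sku-100", "qty": 2}], "total": "39.98"}
    tampered = {"lines": [{"sku": "sku-100", "qty": 2, "price": "0.01"}], "total": "0.02"}
    print(validate_order(good))      # 39.98
    print(order_is_valid(tampered))  # False: server total wins
```

The same pattern applies to any decision the app makes for the user (discount eligibility, step counts in a workflow, access to a feature): the app may show the result, but the server recomputes it from data it controls before acting on it.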
5. Mobile Application Security Testing
Our approach
Mobile Device
Objective: Identify vulnerabilities on the applications - Android, iOS or Windows.
► Reverse engineer the binary using tools such as:
  ► Clang (static code)
  ► GDB
  ► IDA (Pro)
  ► Class-dump-z
  ► …
► Use the information found on the local device to leverage our success, and investigate the source code for passwords, server-side keys, … but also learn how the application works!
► Perform data analysis by looking for sensitive data in databases, logs, backups, cached files, debug messages, …
► Verify application’s permissions.
► Analyze application’s business logic.
Communication channel
Objective: Identify vulnerabilities on the data communication channel.
► Mobile applications are highly likely to operate on insecure wireless networks.
► It is essential to review the network protocols the application uses to communicate with the server-side application.
► The use of SSL/TLS is confirmed both through code review and the Burp Suite proxy tool.
Server-side controls
Objective: Identify vulnerabilities on the server side of the mobile application.
► Perform an in-depth penetration test of the server-side application.
► Perform an in-depth penetration test of the web services or API services.
► Perform security tests similar to other web applications tests (e.g. session management, authentication management, …).
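Slide 4 recommends certificate pinning for the channel, and the communication-channel column above confirms SSL/TLS use by code review and a proxy. The block below is an added example, not from the deck or from EY, of what a pinned client does: after the normal chain and hostname checks, it hashes the DER-encoded peer certificate and refuses the connection unless the hash is in a pin set shipped with the app. The pin values and the host are placeholders; the TLS calls are Python's standard `ssl` and `socket` modules.

```python
import hashlib
import socket
import ssl

# Constructed placeholder pins. A real app computes these from the server's
# leaf (or intermediate) certificate at build time and ships them in the binary;
# a backup pin for the next certificate should always be included so a renewal
# does not lock every installed client out.
PINNED_SHA256 = {
    "<sha256-of-current-cert-placeholder>",
    "<sha256-of-backup-cert-placeholder>",
}


def cert_fingerprint(der_cert):
    """Hex SHA-256 over the DER-encoded certificate bytes."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """True if the presented certificate is one of the pinned ones.

    Pins are compared case-insensitively as hex strings.
    """
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def connect_pinned(host, port, pins, timeout=5.0):
    """Open a TLS connection and refuse it unless the peer certificate matches a pin.

    Pinning is layered on top of, not instead of, normal validation:
    ssl.create_default_context() keeps chain and hostname checks switched on,
    so an unknown CA is rejected before the pin is ever consulted.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)  # DER bytes of the leaf certificate
        if not pin_matches(der, pins):
            raise ssl.SSLCertVerificationError("certificate pin mismatch for %s" % host)
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Offline demonstration on constructed bytes standing in for a certificate.
    fake_der = b"constructed-not-a-real-certificate"
    print(pin_matches(fake_der, {cert_fingerprint(fake_der)}))  # True
    print(pin_matches(fake_der, PINNED_SHA256))                  # False
```

Two practical points follow from this design. Whole-certificate pins, as used here, must be rotated whenever the certificate is renewed; pinning the hash of the SubjectPublicKeyInfo instead survives renewal with the same key pair but needs an ASN.1 parser the standard library does not provide. And a pinned build will refuse a testing proxy's certificate just as it refuses any other unknown one, which is why the channel test above confirms SSL/TLS by code review as well as by proxy.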
6. EY
Our recommendations
► Developers: start with security in mind!
► Understand the threats:
  ► On the application
  ► On the channel
  ► On the server side
► Don’t store sensitive data on the device without consent of the user and without the ability for the user to remove his/her personal information
► Understand the mobile platform of your application
► Understand your audience
► Assess your application